Aurora Malware


  • This topic is locked

#1
d_goff

    New Member

  • Member
  • 8 posts
Please help. I have tried everything that the board has suggested and multiple programs and nothing seems to work to remove this Aurora pain. I have run Find-It and the log is below as well as the most recent HJT file. How do I get rid of this!!! Thanks for your help.


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 05/05/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\GUYLPGW.EXE
* UPX! C:\WINDOWS\NAIL.EXE
* UPX! C:\WINDOWS\PPRWGI~1.EXE
* UPX! C:\WINDOWS\SVCPROC.EXE

* Sniffed C:\WINDOWS\System32\DRPMON.DLL
»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* buddy C:\WINDOWS\BUDDY.EXE
* buddy C:\WINDOWS\PPRWGI~1.EXE

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

* SAHAgent C:\WINDOWS\System32\Q17I9A4J.EXE
* SAHAgent C:\WINDOWS\SAHUNI~1.EXE
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

svcproc.exe
Nail.exe
»»»»» Checking for System32\DrPMon.dll.

DrPMon.dll
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 38CA-F210

Directory of C:\WINDOWS\SYSTEM32

04/26/2005 10:44 PM <DIR> cache32_rtneg2
0 File(s) 0 bytes
1 Dir(s) 29,115,256,832 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 38CA-F210

Directory of C:\WINDOWS\system32

06/26/2003 02:12 PM 25,214 TpShocks.ICO
1 File(s) 25,214 bytes
0 Dir(s) 29,115,256,832 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\ceres


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME> REG_SZ Bolger Functional Class


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}
<NO NAME> REG_SZ BolgerObj Class


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}
<NO NAME> REG_SZ IBolgerDllObj


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

*****************************************************************
*****************************************************************
Logfile of HijackThis v1.99.1
Scan saved at 10:06:09 AM, on 5/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system\gwjt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\??chost.exe
c:\windows\system32\guylpgw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Infotriever\Agent\infoclient.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\goffdk\A4.Personal\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.ps.net:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 155.16.20.73 hercules #SecuRemote
O1 - Hosts: 155.16.40.10 remedy1 #SecuRemote
O1 - Hosts: 155.16.72.11 dalexch51 #SecuRemote
O1 - Hosts: 155.16.72.26 dalexch53 #SecuRemote
O1 - Hosts: 155.16.72.27 dalexch30 #SecuRemote
O1 - Hosts: 155.16.72.56 dalexch03 #SecuRemote
O1 - Hosts: 155.16.72.71 pscdalpexch01 #SecuRemote
O1 - Hosts: 155.16.72.73 pscdalpexch02 #SecuRemote
O1 - Hosts: 155.16.72.75 pscdalpexch50 #SecuRemote
O1 - Hosts: 155.16.72.77 pscdalpexch51 #SecuRemote
O1 - Hosts: 155.16.80.3 relay-south #SecuRemote
O1 - Hosts: 155.16.134.36 train #SecuRemote
O1 - Hosts: 155.17.19.90 psoft #SecuRemote
O1 - Hosts: 155.17.81.73 pscdalpfile02 #SecuRemote
O1 - Hosts: 155.17.82.11 resexch01 #SecuRemote
O1 - Hosts: 155.17.141.139 strange-w2k #SecuRemote
O1 - Hosts: 155.17.96.38 relay-north #SecuRemote
O1 - Hosts: 160.110.36.12 ffmexch01 #SecuRemote
O1 - Hosts: 160.110.96.94 notexch52 #SecuRemote
O1 - Hosts: 160.110.96.97 heaexch50 #SecuRemote
O1 - Hosts: 160.110.96.98 heaexch51 #SecuRemote
O1 - Hosts: 160.110.96.100 heaexch30 #SecuRemote
O1 - Hosts: 160.110.96.111 psesql01 #SecuRemote
O1 - Hosts: 160.110.104.20 amfexch01 #SecuRemote
O1 - Hosts: 160.110.160.109 notexch01 #SecuRemote
O1 - Hosts: 160.110.160.114 pse-nav #SecuRemote
O1 - Hosts: 160.110.160.131 time-entry #SecuRemote
O1 - Hosts: 160.110.160.147 pscnotpexch01 #SecuRemote
O1 - Hosts: 160.110.160.149 pscnotpexch50 #SecuRemote
O1 - Hosts: 160.110.179.31 pscchnpexch01 #SecuRemote
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\system32\psoft1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [pwirjyx] c:\windows\system32\pwirjyx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteaak32.exe
O4 - HKLM\..\Run: [tgijcor] c:\windows\system32\guylpgw.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Azkg] C:\WINDOWS\system32\??chost.exe
O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxdm414YYUS
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.assetmetrix.com
O15 - Trusted Zone: http://*.ps.net
O15 - Trusted Zone: http://Fusion.ps.net
O15 - Trusted Zone: http://projecttest.ps.net
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - http://download.info...in/ifhelper.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = perotsystems.net
O17 - HKLM\Software\..\Telephony: DomainName = perotsystems.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = perotsystems.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = perotsystems.net
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
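A helper reads a log like the one above by pattern: a Shell= value that launches something besides Explorer.exe, a BHO whose file is missing, a Run key whose name and file name are both short random lowercase strings in System32, and a service with no owner sitting directly in the Windows folder. As an added example (editor's code, not from the thread, from HijackThis or from Find-It), the following Python script encodes those four checks and runs them over a constructed sample in HijackThis 1.99.1 line format. The sample lines are modelled on the log above; the thresholds (5 to 8 lowercase letters for a generated-looking name, the "directly in the Windows folder" test) are the editor's own heuristics, not anything HijackThis itself applies.

```python
import re

# Constructed sample in HijackThis v1.99.1 line format, modelled on the log
# posted above (a few lines only; the real log has hundreds).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [tgijcor] c:\windows\system32\guylpgw.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Azkg] C:\WINDOWS\system32\??chost.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
""".strip()

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
SVC_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def shell_extra_programs(shell_value):
    """Everything in the Winlogon Shell value besides Explorer.exe.
    A clean XP box has exactly 'Explorer.exe'; anything appended is started
    together with the desktop and survives most per-user cleanup."""
    return [p for p in shell_value.split() if p.lower() != "explorer.exe"]


def is_random_name(name):
    """Editor's heuristic: 5-8 lowercase letters and nothing else (tgijcor, guylpgw)."""
    return re.fullmatch(r"[a-z]{5,8}", name) is not None


def in_windows_root(path):
    """True for a file directly in the Windows folder (not System32 or a subfolder)."""
    return re.fullmatch(r"[a-z]:\\windows\\[^\\]+", path.lower()) is not None


def check_run_entry(hive, key, command):
    """Two checks on an O4 Run entry: a file name carrying '?' or non-ASCII
    characters (a look-alike of svchost.exe), and a generated-looking key name
    paired with a generated-looking executable stem inside System32."""
    out = []
    if "?" in command or any(ord(c) > 126 for c in command):
        out.append(("lookalike-filename", f"{hive} [{key}] {command}"))
    base = re.split(r"[\\/]", command)[-1].split()[0]
    stem = base.rsplit(".", 1)[0]
    if "\\system32\\" in command.lower() and is_random_name(key) and is_random_name(stem):
        out.append(("random-name-autostart", f"{hive} [{key}] {command}"))
    return out


def triage(log):
    """Return (rule, detail) findings for every suspicious line in the log."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := SHELL_RE.match(line):
            findings += [("shell-hijack", p) for p in shell_extra_programs(m.group(1))]
        elif (m := BHO_RE.match(line)) and ("(file missing)" in m.group(3) or "(no file)" in m.group(3)):
            findings.append(("orphaned-bho", m.group(2)))
        elif m := RUN_RE.match(line):
            findings += check_run_entry(*m.groups())
        elif m := SVC_RE.match(line):
            name, owner, path = m.groups()
            if owner == "Unknown owner" and in_windows_root(path):
                findings.append(("unknown-service-in-windows-root", f"{name}: {path}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:32} {detail}")
```

On the sample the script reports the Nail.exe shell entry, the orphaned Bolger BHO, the tgijcor/guylpgw.exe pair, the ??chost.exe look-alike and the SvcProc service, and stays quiet on the Synaptics, KernelFaultCheck and Symantec lines. The heuristics are deliberately narrow: a generated name test alone would also hit ctfmon.exe, which is why both the key name and the file stem have to look generated before an entry is reported.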


#2
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome d_goff to Geeks to Go!

Open Notepad and copy and paste the text from the box into an empty file.
Save the file to your desktop as FindFile.bat, with "Save as type" set to all types.

dir C:\WINDOWS\system32\??chost.exe /a h > files.txt
notepad files.txt

Close Notepad.
Double-click FindFile.bat.
It will open a Notepad file. Place the content of that file here in your answer using 'add reply'.

I'll put together advice for you and post back soon.

Edited by g2i2r4, 05 May 2005 - 11:45 AM.


#3
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
If you didn't put these:
155.16.20.73 hercules #SecuRemote etc.
in your hosts file, then follow this advice!!!

Download Hoster
Unzip it to a convenient place and open the program.
Choose "Restore Original Hosts" and press "OK".
Close the program.

***

If you didn't put these in yourself?

O15 - Trusted Zone: http://www.assetmetrix.com
O15 - Trusted Zone: http://*.ps.net
O15 - Trusted Zone: http://Fusion.ps.net
O15 - Trusted Zone: http://projecttest.ps.net

Then follow this advice!!!

Download: deldomains.
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Reboot if you had to follow either piece of advice.

#4
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!


***

Go to start - run
Copy and paste the text from the box:
regsvr32 /u ckpNotify.dll
press OK.

***

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

***

Please run Notepad and copy the following text into a new file:

@ECHO OFF
cd\windows
REM run Nail.exe with its /FULLREMOVE switch, then disable, stop and delete the SvcProc service
Nail.exe /FULLREMOVE
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM clear the system, read-only and hidden attributes so the two files can be deleted
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
exit

***

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

***

Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

***

Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

***

Open HijackThis
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} -
C:\WINDOWS\Bolger.dll (file missing)

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll (file missing)

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

O4 - HKLM\..\Run: [PSoft1] C:\WINDOWS\system32\psoft1.exe

O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe

O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe

O4 - HKLM\..\Run: [pwirjyx] c:\windows\system32\pwirjyx.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteaak32.exe

O4 - HKLM\..\Run: [tgijcor] c:\windows\system32\guylpgw.exe

O4 - HKCU\..\Run: [Azkg] C:\WINDOWS\system32\??chost.exe

O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxdm414YYUS

O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Then close all open windows except for HijackThis and click Fix Checked.

***

Please run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system\gwjt.exe
c:\windows\system32\guylpgw.exe
C:\WINDOWS\system32\psoft1.exe
c:\windows\system32\pwirjyx.exe
C:\windows\system32\eliteaak32.exe
C:\WINDOWS\SYSTEM32\ckpNotify.dll

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.

***

Download this scanner:
ewido.
Install it and doubleclick the icon on your desktop.
Let it update.
Then let it do a full run, and copy the log. Paste it into a blank Notepad file and save it to post here.
Then let it run again. Save that log too.

Post back here with a fresh log using HijackThis and both scan results.

#5
d_goff

    New Member

  • Topic Starter
  • Member
  • 8 posts
g2i2r4,

Thanks for taking a look at this. Below is in response to your first reply about the ??chost.exe file. I am going through the other instructions now.

Volume in drive C has no label.
Volume Serial Number is 38CA-F210

Directory of C:\WINDOWS\system32

08/04/2004 12:56 AM 14,336 svchost.exe
11/12/2004 08:52 AM 385,024 ??chost.exe
2 File(s) 399,360 bytes

Directory of C:\Documents and Settings\goffdk\Desktop\Malware Removal

#6
d_goff

    New Member

  • Topic Starter
  • Member
  • 8 posts
g2i2r4,

All of the files that you referred to in your second reply are files that I placed there so I moved on to your third reply.

The first part of the instructions says to register ckpNotify.dll, which I did, but I got an error message (below). Should I proceed anyway?

"ckpNotify.dll was loaded, but the DLLUnregisterServer entry point was not found. This file can not be registered."

#7
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
hmm, leave it for now. Just move on.


When you're done please use Windows explorer to locate this file:
C:\WINDOWS\system32\svchost.exe
created 11/12/2004
size 385,024

be sure to remove that file and not the other (legit file).

#8
d_goff

    New Member

  • Topic Starter
  • Member
  • 8 posts
No Luck. Here is the HJT log. The Ewido scan never gave me a log, it just said nothing found.

Logfile of HijackThis v1.99.1
Scan saved at 3:35:05 PM, on 5/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\dgjhyo.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\goffdk\A4.Personal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.ps.net:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 155.16.20.73 hercules #SecuRemote
O1 - Hosts: 155.16.40.10 remedy1 #SecuRemote
O1 - Hosts: 155.16.72.11 dalexch51 #SecuRemote
O1 - Hosts: 155.16.72.26 dalexch53 #SecuRemote
O1 - Hosts: 155.16.72.27 dalexch30 #SecuRemote
O1 - Hosts: 155.16.72.56 dalexch03 #SecuRemote
O1 - Hosts: 155.16.72.71 pscdalpexch01 #SecuRemote
O1 - Hosts: 155.16.72.73 pscdalpexch02 #SecuRemote
O1 - Hosts: 155.16.72.75 pscdalpexch50 #SecuRemote
O1 - Hosts: 155.16.72.77 pscdalpexch51 #SecuRemote
O1 - Hosts: 155.16.80.3 relay-south #SecuRemote
O1 - Hosts: 155.16.134.36 train #SecuRemote
O1 - Hosts: 155.17.19.90 psoft #SecuRemote
O1 - Hosts: 155.17.81.73 pscdalpfile02 #SecuRemote
O1 - Hosts: 155.17.82.11 resexch01 #SecuRemote
O1 - Hosts: 155.17.141.139 strange-w2k #SecuRemote
O1 - Hosts: 155.17.96.38 relay-north #SecuRemote
O1 - Hosts: 160.110.36.12 ffmexch01 #SecuRemote
O1 - Hosts: 160.110.96.94 notexch52 #SecuRemote
O1 - Hosts: 160.110.96.97 heaexch50 #SecuRemote
O1 - Hosts: 160.110.96.98 heaexch51 #SecuRemote
O1 - Hosts: 160.110.96.100 heaexch30 #SecuRemote
O1 - Hosts: 160.110.96.111 psesql01 #SecuRemote
O1 - Hosts: 160.110.104.20 amfexch01 #SecuRemote
O1 - Hosts: 160.110.160.109 notexch01 #SecuRemote
O1 - Hosts: 160.110.160.114 pse-nav #SecuRemote
O1 - Hosts: 160.110.160.131 time-entry #SecuRemote
O1 - Hosts: 160.110.160.147 pscnotpexch01 #SecuRemote
O1 - Hosts: 160.110.160.149 pscnotpexch50 #SecuRemote
O1 - Hosts: 160.110.179.31 pscchnpexch01 #SecuRemote
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [qkwdwu] c:\windows\system32\dgjhyo.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.assetmetrix.com
O15 - Trusted Zone: http://*.ps.net
O15 - Trusted Zone: http://Fusion.ps.net
O15 - Trusted Zone: http://projecttest.ps.net
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - http://download.info...in/ifhelper.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = perotsystems.net
O17 - HKLM\Software\..\Telephony: DomainName = perotsystems.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = perotsystems.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = perotsystems.net
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

#9
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Did you follow the remove.bat advice?

#10
d_goff

    New Member

  • Topic Starter
  • Member
  • 8 posts
Yes, I did all of the steps you told me to.


#11
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please disable CheckPoint software. I guess it's keeping us from cleaning the machine.
You can re-enable it when we are done.


Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

***

Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

***

Open HijackThis
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [qkwdwu] c:\windows\system32\dgjhyo.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Then close all open windows except for HijackThis and click Fix Checked.

***

Use Windows Explorer to find and delete this file:
c:\windows\system32\dgjhyo.exe

If you can't find the file, open Killbox.
select the Delete on Reboot option.
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

***

Post back here with a fresh log using HijackThis.

#12
d_goff

    New Member

  • Topic Starter
  • Member
  • 8 posts
I think the file names have changed for dgjhyo.exe and SvcProc.exe because I don't see either of them. Here is my new HJT file from a couple minutes ago. Can you tell me again what to check? Sorry!

Logfile of HijackThis v1.99.1
Scan saved at 2:13:11 PM, on 5/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\goffdk\A4.Personal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.ps.net:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [redpxl] c:\windows\system32\qtnbpj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.assetmetrix.com
O15 - Trusted Zone: http://*.ps.net
O15 - Trusted Zone: http://Fusion.ps.net
O15 - Trusted Zone: http://projecttest.ps.net
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - http://download.info...in/ifhelper.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = perotsystems.net
O17 - HKLM\Software\..\Telephony: DomainName = perotsystems.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = perotsystems.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = perotsystems.net
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

#13
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please replace
O4 - HKLM\..\Run: [qkwdwu] c:\windows\system32\dgjhyo.exe
with this one:
O4 - HKLM\..\Run: [redpxl] c:\windows\system32\qtnbpj.exe
Otherwise follow the advice as given.
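The swap g2i2r4 asks for above is the visible symptom of a component that re-registers itself under a fresh name on each boot: guylpgw.exe, then dgjhyo.exe, then qtnbpj.exe across the logs in this thread, each under a different Run key name, while every legitimate Run entry stays put. As an added example (editor's code, not from the thread or from HijackThis), the Python below compares the O4 Run entries of two successive HijackThis logs and pairs a vanished generated-looking entry with a newly appeared one. The two sample logs are constructed, modelled on the O4 sections of posts #8 and #12, and the pairing rule (both the key name and the file stem are 5 to 8 lowercase letters) is the editor's assumption about this particular family, not a general rule.

```python
import re

# Constructed O4 sections of two successive HijackThis logs, modelled on
# posts #8 and #12 above: the legitimate entries are unchanged, the
# generated-looking one has been re-registered under a new name.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [qkwdwu] c:\windows\system32\dgjhyo.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip()

LOG_AFTER = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [redpxl] c:\windows\system32\qtnbpj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip()

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")


def run_entries(log):
    """Map (hive, key name) -> command for every O4 Run line in a HijackThis log."""
    entries = {}
    for raw in log.splitlines():
        if m := RUN_RE.match(raw.strip()):
            hive, key, command = m.groups()
            entries[(hive, key)] = command
    return entries


def looks_generated(key, command):
    """Editor's heuristic for this thread's pattern: both the key name and the
    executable stem are 5-8 lowercase letters (qkwdwu/dgjhyo, redpxl/qtnbpj)."""
    stem = re.split(r"[\\/]", command)[-1].split()[0].rsplit(".", 1)[0]
    pat = r"[a-z]{5,8}"
    return re.fullmatch(pat, key) is not None and re.fullmatch(pat, stem) is not None


def diff_run_entries(old_log, new_log):
    """Report Run entries that disappeared or appeared between two logs, and
    pair vanished generated-looking entries with new ones: in this thread the
    same component comes back under a fresh key and file name after a reboot."""
    old, new = run_entries(old_log), run_entries(new_log)
    removed = sorted(set(old) - set(new))
    added = sorted(set(new) - set(old))
    gone = [k for k in removed if looks_generated(k[1], old[k])]
    fresh = [k for k in added if looks_generated(k[1], new[k])]
    # Pairing is positional; with one candidate on each side (the usual case
    # in this thread) it is unambiguous, otherwise the pairs are a guess.
    likely_renamed = [(old[g], new[f]) for g, f in zip(gone, fresh)]
    return {"removed": removed, "added": added, "likely_renamed": likely_renamed}


if __name__ == "__main__":
    report = diff_run_entries(LOG_BEFORE, LOG_AFTER)
    for old_cmd, new_cmd in report["likely_renamed"]:
        print(f"probably the same component: {old_cmd} -> {new_cmd}")
```

Run against the two constructed logs the report lists the qkwdwu key as removed, the redpxl key as added, and pairs dgjhyo.exe with qtnbpj.exe, which is exactly the substitution the helper asks for. The practical lesson is the one the thread arrives at: an entry that moves between scans has to be fixed from a log taken immediately before the fix, because an older log names a key and a file that no longer exist.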

#14
d_goff

    New Member

  • Topic Starter
  • Member
  • 8 posts
:tazz:

No popups anymore, but I still see the Nail.exe file. Are the popups going to come back? Is that a new O23 at the very end?

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

Logfile of HijackThis v1.99.1
Scan saved at 2:41:08 PM, on 5/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Infotriever\Agent\infoclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\goffdk\A4.Personal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.ps.net:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 155.16.20.73 hercules #SecuRemote
O1 - Hosts: 155.16.40.10 remedy1 #SecuRemote
O1 - Hosts: 155.16.72.11 dalexch51 #SecuRemote
O1 - Hosts: 155.16.72.26 dalexch53 #SecuRemote
O1 - Hosts: 155.16.72.27 dalexch30 #SecuRemote
O1 - Hosts: 155.16.72.56 dalexch03 #SecuRemote
O1 - Hosts: 155.16.72.71 pscdalpexch01 #SecuRemote
O1 - Hosts: 155.16.72.73 pscdalpexch02 #SecuRemote
O1 - Hosts: 155.16.72.75 pscdalpexch50 #SecuRemote
O1 - Hosts: 155.16.72.77 pscdalpexch51 #SecuRemote
O1 - Hosts: 155.16.80.3 relay-south #SecuRemote
O1 - Hosts: 155.16.134.36 train #SecuRemote
O1 - Hosts: 155.17.19.90 psoft #SecuRemote
O1 - Hosts: 155.17.81.73 pscdalpfile02 #SecuRemote
O1 - Hosts: 155.17.82.11 resexch01 #SecuRemote
O1 - Hosts: 155.17.141.139 strange-w2k #SecuRemote
O1 - Hosts: 155.17.96.38 relay-north #SecuRemote
O1 - Hosts: 160.110.36.12 ffmexch01 #SecuRemote
O1 - Hosts: 160.110.96.94 notexch52 #SecuRemote
O1 - Hosts: 160.110.96.97 heaexch50 #SecuRemote
O1 - Hosts: 160.110.96.98 heaexch51 #SecuRemote
O1 - Hosts: 160.110.96.100 heaexch30 #SecuRemote
O1 - Hosts: 160.110.96.111 psesql01 #SecuRemote
O1 - Hosts: 160.110.104.20 amfexch01 #SecuRemote
O1 - Hosts: 160.110.160.109 notexch01 #SecuRemote
O1 - Hosts: 160.110.160.114 pse-nav #SecuRemote
O1 - Hosts: 160.110.160.131 time-entry #SecuRemote
O1 - Hosts: 160.110.160.147 pscnotpexch01 #SecuRemote
O1 - Hosts: 160.110.160.149 pscnotpexch50 #SecuRemote
O1 - Hosts: 160.110.179.31 pscchnpexch01 #SecuRemote
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.assetmetrix.com
O15 - Trusted Zone: http://*.ps.net
O15 - Trusted Zone: http://Fusion.ps.net
O15 - Trusted Zone: http://projecttest.ps.net
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - http://download.info...in/ifhelper.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = perotsystems.net
O17 - HKLM\Software\..\Telephony: DomainName = perotsystems.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = perotsystems.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = perotsystems.net
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
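As an added defender-side example (not code from this thread or from the helper), a small Python scanner for HijackThis log lines that flags the persistence shown by the F2 entry above (a program appended after Explorer.exe in the system.ini Shell= value, here Nail.exe) and any line referencing a file name this thread identifies as part of the infection; the sample lines and the KNOWN_BAD list are constructed from the logs in this thread.

```python
import re

# Constructed sample, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\Nail.exe
O4 - HKLM\\..\\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\\..\\Run: [redpxl] c:\\windows\\system32\\qtnbpj.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\\WINDOWS\\system32\\TpKmpSVC.exe
"""

# Lower-cased basenames named as part of the infection in this thread.
KNOWN_BAD = {"nail.exe", "qtnbpj.exe", "dgjhyo.exe"}

F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.IGNORECASE)
PATH_TOKEN = re.compile(r'[^\s"]+\.(?:exe|dll)', re.IGNORECASE)


def extra_shell_programs(shell_value):
    """Programs in a system.ini Shell= value besides the default Explorer.exe.
    Assumes unquoted, space-separated entries, as HijackThis prints them."""
    return [p for p in shell_value.split() if p.lower() != "explorer.exe"]


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_hjt_log(text, known_bad=KNOWN_BAD):
    """Return (line, reason) findings for the given HijackThis log text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = F2_SHELL.match(line)
        if m:
            # Anything loaded alongside Explorer.exe is a shell hijack.
            for prog in extra_shell_programs(m.group(1)):
                findings.append((line, "extra program in Shell=: " + basename(prog)))
        for token in PATH_TOKEN.findall(line):
            if basename(token) in known_bad:
                findings.append((line, "known bad file: " + basename(token)))
    return findings


def flagged_lines(text, known_bad=KNOWN_BAD):
    """Distinct log lines that produced at least one finding."""
    return {line for line, _ in scan_hjt_log(text, known_bad)}
```

The O23 service line from the thread is left unflagged, matching the helper's reply that it belongs to the IBM ThinkPad software.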

#15 g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
A quick response:
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

is related to your IBM ThinkPad.

I'll check the log.

Did you rescan using Ewido after disabling CheckPoint?

Edited by g2i2r4, 06 May 2005 - 02:27 PM.
